Posted by CmdrTaco on Thursday December 18, 2008 @10:34AM
from the open-source-is-faster dept.

drquoz writes "Last week, it was reported that a critical security flaw was found in Internet Explorer. On Tuesday, experts were advising users not to use IE until a patch could be released. On Wednesday, Microsoft released the patch. An interesting quote from the article: 'Kandek suggests that Microsoft is at a disadvantage in updating Internet Explorer because its browser doesn't have a built-in update mechanism like other browser makers. Mozilla, for instance, just released Firefox 3.05 to Firefox users through its auto-update system.'"

True, true, and true. But that doesn't change the fact that IE only runs on Windows and 99% of Windows users have Automatic Updates turned on, usually checking weekly. So you're usually looking at a max "lag time" of seven days before an IE user gets the patch. And that assumes the worst possible case: the patch releases right after that user's computer was updated, and they use their computer (and IE) every day.

While I would agree with you in theory, your ideas don't match up with what I've seen in the real world.

Until recently I worked in a mom and pop PC repair business. About 9 out of 10 systems I worked on were out of date, typically by a few months. I don't know for sure, but my guess is that users are switching auto-update off because they can't be bothered with 'nag' messages from their software.

Granted, the machines I saw were generally dying, so it may not be a fair cross-section of home computer users. Still, the idea that 99% of home users should have new patches within a week flies in the face of what I saw every day.

You haven't taken into account that the users you're used to running into aren't the best users. If people kept their machines updated and running properly, you wouldn't see them. It's like a cop saying everybody is a criminal because a majority of the people he sees are criminals.

I'm not saying that the other guy is right, but when it comes down to it, neither of you really have much to go on. From my experience, if auto update is turned on to download and install automatically, it very rarely gets turned off.

I work for a school district, cyber-schooling. Ours may not be a scientifically valid cross-section either, but I'd say 6/10 or more machines either have WUAU turned off (the more advanced kids) or they simply hit the 'go away' button and never reboot to apply updates.

If you have pending updates, suspend/resume at night, and never manually reboot, WUAU will NOT apply further updates till the pending ones go on. I've had machines 6 months and more out of date (coming in today with XP SP2) on a regular basis.

One annoying little feature of XP updates... You can choose to apply updates and shutdown, but you can't choose to apply updates and restart when you go to the shutdown menu. There are many times I'm heading to a meeting or whatever, and wouldn't mind it downloading, installing, and restarting, all ready for me when I come back. I don't want to come back and have to boot it up.

Yeah, cause Active Directory scales great over the internet, and EVERYONE has a 100Mb connection or better at their place of business.

We're physically discontiguous and your solution, while what I would do (and have done) in single site or robust WAN environments, simply does not work with the tools I have at hand and the geographical barriers I have to hurdle.

So yeah, you pass the MCSE exam but fail the Real Life test. Not everything can be solved by dropping WSUS onto an underutilized server and defining

Yeah, I'll just add a DC to each of the 400 students scattered to Hell and gone all over the state. When I say geographically separated, I don't mean we have a stretch between buildings, I mean we have counties between each student and the next.

I know the suggestions are a healthy mix of 'how I'd do it' and 'UR DOIN IT RONG', but I'm really one of those cases where the MS Way simply will not work, no matter how much or little I'd like it to.

It's fairly easy to check for yourself - compile int main() { getch(); } (with #include <conio.h>), run it, and see what you can do with the executable. You will see that you cannot delete it, but you can rename it (and after you rename it, you can create a new file with the same name; you cannot do it before that).
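The same check, scripted in PowerShell as an added example (it is not code from the thread or from any commenter). It copies powershell.exe into a temp directory, starts the copy so its image is mapped, and then tries the three operations the comment describes: delete, rename, and create at the original name. The choice of powershell.exe as the running binary and the 60-second sleep are assumptions made here so the test is self-contained; it expects to run on Windows. This behaviour is exactly what in-place updaters rely on: they rename the running binary and drop the new one at the original name.

```powershell
# Added example, not from the thread: verify that a running Windows
# executable cannot be deleted but can be renamed (and then replaced).
# Assumption: Windows PowerShell 5.1+; the running binary is a copy of
# powershell.exe kept alive by a Start-Sleep so the test can poke at it.
$work = Join-Path $env:TEMP ("locktest-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$exe = Join-Path $work 'running.exe'
Copy-Item (Join-Path $PSHOME 'powershell.exe') $exe

$proc = Start-Process -FilePath $exe `
    -ArgumentList '-NoProfile', '-Command', 'Start-Sleep -Seconds 60' `
    -WindowStyle Hidden -PassThru
Start-Sleep -Seconds 2   # let the loader finish mapping the image

try {
    # 1. Delete: expected to fail while the image section holds the file open
    try {
        Remove-Item -LiteralPath $exe -ErrorAction Stop
        Write-Host 'delete: succeeded (unexpected)'
    } catch {
        Write-Host "delete: denied -> $($_.Exception.Message)"
    }

    # 2. Rename: expected to succeed even though the process is still running
    Rename-Item -LiteralPath $exe -NewName 'running.old' -ErrorAction Stop
    Write-Host 'rename: succeeded'

    # 3. Create a new file under the original name: only possible after the rename
    Set-Content -LiteralPath $exe -Value 'replacement' -ErrorAction Stop
    Write-Host 'create at original name: succeeded'
}
finally {
    # Clean up the helper process and the temp directory
    Stop-Process -Id $proc.Id -Force -ErrorAction SilentlyContinue
    $proc.WaitForExit()
    Remove-Item -LiteralPath $work -Recurse -Force -ErrorAction SilentlyContinue
}
```

The delete step prints the sharing-violation message, the rename and the create both succeed; if the rename also fails, something other than the image mapping (an antivirus filter, for instance) is holding the file.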

The same is also true for Firefox. I've encountered quite a few folks that turn off auto updates on FF because they find the updates annoying. Usually because they have so many extensions that each update warns that it will break compatibility with at least one.

Many users turn off their computers whenever they're not being used. Many of their auto-updates are configured to run their updates at midnight. Ergo, no updates. I have to deal with this every time I visit my grandfather; his machine is always in need of updating.

My experience is that the Auto Update mechanism in Firefox is flawed. A number of these PCs never trigger to be updated even if they are months behind. One of my Windows 2000 servers often takes about a week before it's auto updated.

Experience shows that it doesn't check for an update at every launch. And that sometimes it gets stuck, something gets corrupt, and not until you ask it to check will it check again.

Granted, this is much better than most software. However the update mechanism needs work.

Microsoft signs/encrypts and then checks the IE package signature. As much of a dog as Microsoft is, their update mechanism is one of the best.

Well, let's just say that the other day I found out my roommate was using version 1.5.

The inability to upgrade across major versions is one of the weaknesses in Firefox. I was hoping that the last 2.x patch would add a bar at the top telling people to download FF3, if not upgrade its update tool to handle the transition.

Another weakness (in both WU and FF) is that neither will ask the user to log in as admin and install updates. WU will just do it and reboot the computer in the middle of whatever you we

True, but I have seen many setups with automatic updates turned on, but IE6 being used. You have to explicitly select IE7 to install. So even if their system is updated, they are still exposed to many more problems.

There is not a 7 day lag time, at least on Vista. I got a notice of new updates Tuesday, ran it yesterday and immediately after installing those, it popped up with another, new update--the IE patch. I always get a notice the day any patches or updates are released.

I think Windows/IE's biggest problem is that they want to authenticate that the version the user has is legal. That's understandable for an anti-pirating measure, but what it ends up doing is leaving thousands of computers open to vulnerabilities t

Even if Microsoft determines that your copy of Windows is pirated (false-positive issues aside), you're still able to receive security and critical updates. However, I believe that is only through the automatic updates mechanism; going to the Windows/Microsoft Update web site will fail during scanning due to a piracy check failure.

Of course, the above doesn't apply to Vista and newer which dumps the dependency on updating through a website in favour of a Windows Update control panel applet.

You shouldn't have to update the OS to update the browser. When I first installed XP, I had automatic updates turned on, but the very first one overwrote my perfectly good network driver with one that didn't work. I had a hell of a time figuring out what was wrong; the cable modem was sitting on the floor that morning so I thought the cat had knocked it off and broken it.

Anyone who has an experience like this either shuts off installing updates automatically, or is brain dead. I question the "99%" figure I

Just for clarification, this is only true for the version of Firefox you installed from Ubuntu's repositories. You can install the version provided by Mozilla and it should have its own updater enabled.

The automatic update system in Windows is far from perfect, and doesn't allow users the granularity of saying "yes, update my browser but no, leave the rest of my system alone."

Also, telling it you want to be notified of available updates (similar to Firefox's behaviour) is nowhere near as convenient as the way Firefox handles simply installing its own update and then restarting with your windows and tabs reopened to where you were last.

With Vista they've made it doubly annoying, as Windows Defender gets updates *all* the time. So if you've got it set to notify, you get a whole lot of nagging. If only you could pre-approve Windows Defender updates...

Well, the inherent problem with auto updating IE is its tight integration into the OS. Were IE more like a regular browser, the mechanisms would be different for doing updates. While the Windows Update service isn't perfect, I wouldn't say Firefox auto update is either. You can choose not to auto update if you wish. So which is worse, choosing to update or to not update?

Yes you can. The auto update settings:
1. Download and install everything.
2. Download and tell me there are updates ready to be installed.
3. Do not download but tell me there are updates.

With 2 or 3 you can pick the updates to install. You click on the update icon in the lower right on the task bar (unless you moved it to a different location). Choose custom install. Do not select express. Express will install everything. Custom will let you pick which ones to install. With 2 if you just shut down a
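The three settings above, the "pending updates block further updates until you reboot" behaviour mentioned earlier in the thread, and the "never ask me about this update again" choice all leave traces an administrator can read back. The following PowerShell is an added example (not from the thread or any commenter) that reports the effective Automatic Updates mode, whether installed updates are still waiting for a reboot, and which applicable, non-hidden updates the Windows Update Agent has not yet installed, flagging critical ones older than a week. It assumes a Windows machine with the Windows Update Agent COM API, run from an elevated prompt; the 7-day threshold is an assumption chosen to match the "lag time" argued about in the thread.

```powershell
# Added example, not from the thread: audit Automatic Updates state on one machine.
# Assumptions: Windows with the Windows Update Agent (WUA) COM API, elevated shell.

# AUOptions numbering used by the Automatic Updates client; the thread's settings
# 1/2/3 correspond to values 4/3/2 here (1 means disabled, 5 lets a local admin choose).
$auMeaning = @{
    1 = 'Automatic Updates disabled'
    2 = 'Notify before download'
    3 = 'Download automatically, notify before install'
    4 = 'Download and install on a schedule'
    5 = 'Local admin chooses the setting'
}

# A Group Policy / WSUS setting takes precedence over the per-machine key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-AUOption {
    foreach ($key in $policyKey, $localKey) {
        $value = (Get-ItemProperty -Path $key -Name AUOptions -ErrorAction SilentlyContinue).AUOptions
        if ($null -ne $value) {
            return [pscustomobject]@{ Source = $key; Value = $value; Meaning = $auMeaning[[int]$value] }
        }
    }
    [pscustomobject]@{ Source = 'none'; Value = $null; Meaning = 'not configured' }
}

$au = Get-AUOption
Write-Host ("AUOptions = {0} ({1}) from {2}" -f $au.Value, $au.Meaning, $au.Source)

# The RebootRequired key exists only while installed updates await a restart;
# until that restart, the client does not apply further updates.
$rebootPending = Test-Path (Join-Path $localKey 'RebootRequired')
Write-Host "Reboot pending from earlier updates: $rebootPending"

# Ask WUA for applicable updates that are neither installed nor hidden.
# Updates the user hid ("never ask me about this update again") have IsHidden=1
# and are deliberately excluded by this filter.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        Severity = $u.MsrcSeverity                 # Critical/Important/...; empty for non-security updates
        Released = $u.LastDeploymentChangeTime
        AgeDays  = [int]((Get-Date) - $u.LastDeploymentChangeTime).TotalDays
    }
}
$pending | Sort-Object Released | Format-Table -AutoSize

# Lag check: critical updates that have been available longer than the assumed 7-day window
$late = @($pending | Where-Object { $_.Severity -eq 'Critical' -and $_.AgeDays -gt 7 })
if ($late.Count -gt 0) {
    Write-Warning ("{0} critical update(s) older than 7 days are still not installed" -f $late.Count)
}
```

Run it on a machine set to "notify" and it will show exactly the queue the user is being nagged about; a non-empty RebootRequired with a long pending list is the stuck state described earlier in the thread.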

Most users aren't that bright. Hell, most users aren't bright enough to set automatic updates to 'download and notify'. Seriously.

I look upon myself as brighter than 'most users', but I just install every update to Ubuntu and FF plugins without question. With updates arriving seemingly every second day, I do a lot of approving without examining the details.

There is no separate auto-updater for Safari, either. The standard for OS integrated browsers is to do it this way, because it has so much of an impact on the rest of the system.

I also think that if the user is bright enough to get to the point where they are looking at the list of updates, they should be smart enough to comprehend that "IE security Patch" applies to internet explorer. But yes, most people aren't smart enough to get to that point, but as others have said they shouldn't get that far for t

Actually, you can - I've done exactly this on my home PC, which was installed from a corporate license (had an MSDN subscription at the time). You need to go through the process manually once - you select everything other than WGA, and when it asks if you really want to ignore that update, you check the box that says something like 'Never ask me about this update again', and click OK. Now, I still get all the critical updates installed automatically, but never have WGA installed on my PC. It's been like that for several years now.

I did that for years but at one point (I think before SP2) it refused to download any more patches until I updated WGA. I'm pretty sure MS Update checks to make sure your WGA is recent. Granted I have a consumer license and not a corporate one. The vast majority of home users have my type of license and not yours.

Well, Firefox's update system is hardly perfect either. If you run with the default settings it suddenly, without notice, declares that it's installing an update (why? what's changed?). And it's likely to disable a raft of plugins in the process. Of course this behavior can be changed, but so can the automatic settings for Windows Update.

FF's approach is also not optimal if you're administering more than a handful of machines.

Err? When there are updates, I can cherry pick which ones I want from a list with checkboxes, and click "Install", and do so ONLY for the ones I want. Some non-security related updates are irrelevant to me, so I left them to rot for months... I can even hide them so it never asks me about them ever again.

Internet Explorer may not have an auto-update system, but Microsoft Windows has an update system rivaling that of Ubuntu and OS X in automaticness, if not scale.

Since Windows encourages users to allow automatic updates installed at 3am every morning and also by default installs any pending critical updates at system power down, it doesn't seem like any supported version of Internet Explorer should remain unpatched for too long.

I even find it awkward that no popular linux distribution checks and proposes security updates at bootup.

I have an ASUS laptop that runs Ubuntu 8.04. I turned it on, turned on the Wi-Fi radio, and started Firefox to look up something about reenactment costuming. After a few minutes, I noticed the update icon in the tray. One of the updates was Mozilla Firefox 3.05. I clicked download and apply, and it was done. So yes, Ubuntu automatically "checks and proposes security updates".

I bet you have two blue arrows that point to each other in your tray. If Ubuntu checked and applied security updates at startup, you wouldn't need to reboot after applying them. I think that's what he's saying.

You never need to restart after a security update anyway. Most of the updated software restarts itself via package install scripts. It is a rare event when that does not happen (kernel / driver updates, essentially). Sometimes logging out and in is a decent measure to be certain.

Firefox doesn't do tray icon notifications. And distribution-provided Firefox packages disable the auto-update, which wouldn't succeed anyway as the user running FF is not supposed to have write access to /usr. Instead, the distrib's auto-update mechanism handles it (apt for Ubuntu/Debian, yum for RedHat/Fedora, emerge for Gentoo, yast IIRC for Suse and so on). This is better on many levels, since it prevents a user process from altering the binary. But you can also download the official Linux tarball and deploy it to your home directory; the FF update mechanism will handle it.

No, you are completely wrong. Firefox's built-in auto update is disabled on Ubuntu. There is a built in update service which notifies you of updates automatically, pretty much the same way that windows does.

Ubuntu and Mint, at least, check daily. In Ubuntu when there are security updates you see a red arrow in the notification area, when non-security updates are available you see a orange sun(?). Also, if you go to "System"->"Software Sources" and then the "Updates" tab you can set it to apply security updates automatically (this really should be default, IMHO).

I still think Ubuntu's update system rivals Windows and OS X as it not only updates the base OS and OS vendor applications, it updates everything on the system.

They spam the Silverlight 2.x install on the pages instead of "update your Internet Explorer NOW!" in the same fashion. I call it "spam", total spam I tell you. It is like the whole page darkens before you can click anything and in the middle of the page there is "Install Silverlight Now!". Based on the hugeness of the security bug, I would cheer if they showed that IE warning on ALL MS sites including MSN. I saw MSN too; it has a one-liner "Download urgent Internet Explorer update". Of course it was blocked by "See your specific country page now!", another pop-in trick.

What kind of purpose will Silverlight 2 serve at Support pages to "enhance" my experience besides not being Adobe Flash?

Oh BTW, guess what XP SP3 installs. Flash Player 6. Yes, SIX. On the other hand, Apple updates all their customers' Flash to the secured 9.x version.

They really believed that buying Yahoo for 46 billion would fix that logical problem?

It's harder to avoid than you seem to think. If you use Windows help to view .chm files, you're using IE. Usually they stay local, but many help files do include links to web pages, and then you're out in the real world.

No -- Firefox is at the disadvantage. If you're a single user running as administrator, its auto-update is great. However, the users (all running limited accounts) on our Windows/Samba network will have to wait until I install the new update manually because there is no built in mechanism for administrators to push out updates.

And should I use my cobbled together scripts to push out a security update for Firefox on the last day of finals when it might break everything, or should I wait until Monday?

On the other hand, the WSUS server that I set up worked exactly like it was supposed to last night.

You are right. The strange thing is that some FF updates do get installed with XP's "Limited User" accounts but some just fail. No rhyme, no reason. For those that failed I had to log on with an Admin account and let the FF update install.

FF needs an updater service that runs in the System context so that all FF updates can get installed without the user being logged on as an administrator.

FF needs an updater service that runs in the System context so that all FF updates can get installed without the user being logged on as an administrator.

No, I don't want another mysterious service that runs in the background doing whatever it feels like without explicit approval.

Firefox for Windows needs to start deploying the program as a regular .msi file (like most Windows applications) so that all the existing application deployment tools will work. That will go a long way to boosting Firefox among businesses & large organizations.

FF needs an updater service that runs in the System context so that all FF updates can get installed without the user being logged on as an administrator.

I would never enable that feature on my PCs. The last thing I want Firefox to do is join the ranks of Flash, Java, Adobe Reader and iTunes with nagging auto-update services that always run in the background. Often the updates aren't even critical, I think many of those 'features' are pushed by marketing departments who want to plaster your desktop with as many of their logos as possible.

...or you could change to a decent Linux distro that autoupdates everything... and the autoupdater has the privilege and not the program... or Microsoft could actually open up the Windows update system and allow other programs to use it rather than having several different ad-hoc systems ?

MS ought to create a generic update service that would allow programs to register an URL to check for updates and an update program to launch when one is available. I don't see any security implications that don't apply with every program having its own update service.

What is that thing, another overpriced piece of proprietary bloatware? On RPM based Linux distribs, it's trivial to create an RPM package of any bunch of files you have. A simple .spec file need not be more than a dozen lines to achieve this. Rpmbuild it, and voila, you've got a new package that you can push any number of ways. Just create a yum repository, again, quite a basic thing to do, and on the next update request it will be installed. So what's preventing you from doing that with FF and WSUS? FF is alm

...because its browser doesn't have a built-in update mechanism like other browser makers

At first I thought, "this isn't right", but then I realized that IE updates along with the general Windows update, and not by itself. Perhaps this is because Microsoft so tightly binds IE to the operating system that it doesn't think of it as a separate product?

No joke. I just love how some key menus that are LOCAL use IE. For example, on Windows XP the User Accounts option in Control Panel. The window that opens is not Windows Explorer but Internet Explorer. Interestingly, if your security settings are too tight you can't use that menu at all. You'd have to manage the users manually.

Pretty much the totality (with one or two exceptions) of Microsoft's products update via Windows Update, from Internet Explorer, through SQL Server, to MS Office. Even SQL Server's Books Online and some built in games update via Windows Update.

I wonder how many exploits will be found in IE before they are all gone. I mean, logically, there has to be some point in the future when IE7 is totally exploit free. Too bad that the cycle of software replacements won't let that happen. Given enough time, IE7 and WinXP could be some of the toughest software in existence.

I wonder how many exploits will be found in IE before they are all gone. I mean, logically, there has to be some point in the future when IE7 is totally exploit free

First, the marketing department would never let this happen. Second, if they stayed with "patch only" while the other browsers came up with new stuff nobody would use it; see what happened when they had over 90% of the market and became complacent? Of course, they weren't patching it at all then. Third, code changes often introduce bugs of their

Reality is, most IE users have no idea there is a flaw and no idea there is a patch. So the lack of in-browser auto download basically means that nothing has been achieved for "most" of their user base.

One thing I do notice about the less savvy users is that they do mostly trust windows update.

Per application autoupdates are a horrendous pain. Each one has its own, completely idiosyncratic configuration mechanism, its own schedule, and its own behavior. A lot of them will run (but fail in various annoying ways) under limited user accounts, and they are utterly useless in an environment where firewalls or similar block application downloads on client machines.

I can understand why companies use them, since the alternative typically involves things sitting unpatched for ever and ever; but the whole thing is a mess. Hurray for package management.

IE is at a disadvantage because it doesn't have a built in update mechanism? Seriously?

IE updates are managed thru a single interface, windows update, and windows update is actually one small thing windows gets mostly right. I don't want every god awful program under the sun phoning home ON ITS OWN to god knows where and updating itself without my knowledge.

However I do want a convenient method to make sure I'm getting updates I may need from a trusted source. Windows update is better than programs phoning home on their own. Short of having an update repository for 3rd party apps like Linux distros do things, that's about the best you can hope for...

That is, unless you like the google software updater, apple software updater, etc, running all the time soaking up resources and generally being non-value added.

Oh, but it's Apple/Google/Whatever, so it must be good! I mean who needs one updater talking to one central location for updates when you can have 50 updaters talking to 50 locations for updates instead?

Never mind that WU installed this patch on my machine last night, because that's not the point.

True, but unfortunately Windows Update tends to require a reboot. The advice MS gives, leave your Windows box connected 24/7 and update at 3am, is about the worst advice I've ever heard. You'll get a lot more attacks than updates in any given day. Especially when MS is basically announcing to all the attackers what the window of vulnerability is.

So yes, technically the Windows Update feature is competently implemented, but the policies Microsoft recommends regarding its use are utterly moronic.

Or even worse than soaking up resources, suggesting new software once a week, like apple software updater. It always suggests that I need iTunes, and it always selects it by default.
If I'd wanted iTunes, I would have downloaded iTunes and not gone to the extra hassle of trying to find Quicktime without iTunes. I don't know how it is now, but when I downloaded, it was a hassle to find these two separated.

Apple has resolved this issue. Now they try to install Safari in addition to Quicktime and iTunes.

I work with thousands of client machines in my environment - I've had experience with SUS hosing things up, but it still mostly gets things right for the updates it manages. Letting programs hose things up on their own is no better than letting windows update hose them up. In fact, judging by the way things work in Linux, I'd say managing updates centrally makes everything play better together on average. This part of yo

When FF needs to install critical patches it restarts itself & conserves as much context as possible.

When windows needs to install critical patches it reboots the system & loses all context. Even if you delay the reboot to finish critical tasks the reminder that you need to reboot pops up periodically with reboot preselected. If you were performing an unrelated task & happen to hit enter at the wrong time the system reboots without saving your work possibly corrupting it.

I've seen it happen a few times & people do switch browsers after being burnt or seeing it happen to colleagues, but I suppose you'll just stick your fingers in your ears, close your eyes & mumble your prayers to the Redmond God to spare you...

IE itself doesn't know it is out of date. Some other system is required to do that. This has been a perpetual problem for a while now where a lot of software products out there depend on a "third party" to check for version status. If the "third party" malfunctions or is misconfigured, the software doesn't update. Even if the software can't update it would be nice to notify the user there is a critical update to apply manually.

Firefox isn't perfect but one thing they do right is letting the user know

Had my daughter moaning on the last update. Firefox told her to update, or it did it automatically, and when it restarted Vista asked for my admin password. She was without Firefox until I came home from work. I got a bollocking. She could have used IE if she knew where to look. grrrr.

Firefox 3.0.x is only open to security and stability updates at this point, so it's highly unlikely that you'll see any increases in its Acid3 score at this point (short of the test itself changing somehow). The recently-released 3.1b2 scores 93/100 (also unlikely to change before it goes final). There are also patches posted in Mozilla's Bugzilla tracker (currently either awaiting review or needing more work to be done) that when landed will get their score up to 97/100, probably for Firefox 3.2. The only